408
submitted 1 year ago by chkno@lemmy.ml to c/privacy@lemmy.ml

Gmail prompt to provide phone number sounds like a threat

top 50 comments
sorted by: hot top controversial new old
[-] DoomBot5@lemmy.world 204 points 1 year ago

Dumb take. All it's warning you is that without those, you won't have a way to recover your account it you lose your password or if it's hacked and someone changes it.

[-] Matomo@lemmy.ml 70 points 1 year ago

Yeah, I'm all for bashing companies regarding privacy and whatnot, but this is just informing/warning you about account security.

load more comments (13 replies)
[-] Max_P@lemmy.max-p.me 29 points 1 year ago

People here don't realize how dumb the average user can be. I've helped countless people attempt to recover their accounts to which they forgot the password to because they were logged in on their computer and just went to it, and were shocked once they let the cookie expire.

Backup security questions? "Oh, I put random garbage there, there's no way I remember".

I've known people that end up with a new email more often than they end up with a new phone number for that exact reason. Or worse, they also got a new phone number without thinking about their 2FA SMS and lose a whole bunch of accounts.

With social engineering attacks all over the place, more and more companies just won't help you in the name of security.

Those users absolutely need to be nudged towards adding backup account recovery info.

[-] janonymous@lemmy.world 16 points 1 year ago

Yeah, probably, but I've noticed lots of sites use security as an excuse to get your phone number. For my work account Google forced me to enable 2FA for security reasons, but wouldn't allow the authenticator, only my phone number, until they had it. Then I was allowed to switch to the authenticator. That was not a setting my employer could change, either, they tried for half an hour.

Phone numbers are used to congregate the your data that's collected on different sites to one profile. I'm pretty sure that is the main reason Google and others are pushing you so hard to give it up.

load more comments (2 replies)
[-] Rexios@lemm.ee 12 points 1 year ago

Phone numbers are an attack vector. Especially for 2FA.

[-] Blizzard@lemmy.zip 7 points 1 year ago

There are other ways to recover an account. Google just wants to have your phone number, security is an excuse and use of fear mongering to get is pathetic and shameless.

[-] Jilanico@lemmy.world 6 points 1 year ago

Can you describe some alternatives to a recovery phone or email? Honest question.

[-] Blizzard@lemmy.zip 4 points 1 year ago

Secondary e-mail address, security questions, recovery key, physical key fob - from the top of my head. Better or worse, the point is - it doesn't have to be a phone number.

[-] newIdentity@sh.itjust.works 7 points 1 year ago* (last edited 1 year ago)

It's asking for a secondary email address or phone number. Security questions are insecure and probably the worst reset methode there is. Most users don't even know what a security key is so it's pretty pointless to mention it if only like 1% are actually using it and it could cause more confusion than it helps.

Edit: apparently it actually does ask for both. But it's not even mandatory. Its just a warning

load more comments (8 replies)
load more comments (3 replies)
[-] anteaters@feddit.de 38 points 1 year ago

Google can close your email account down at any time for any stupid reason they like and their nonexistant support will leave you standing in the rain without access to years of mails. Switch to a paid mailer with actual support ASAP

[-] TCB13@lemmy.world 23 points 1 year ago

I once paid for Lavabit email and it was then raided by the NSA/CIA/FBI (Snowden case) and they shut everything down. I lost access to my account and to a 3rd party account that had a considerable amount of money pending withdrawal. I was never able to get the money. Lesson learnt: paying for your email won't save you.

[-] ram@lemmy.ca 21 points 1 year ago

Ya, never trust US companies. Their government's crazy to jump in and take anything they want; you may not even know they took it.

[-] TCB13@lemmy.world 7 points 1 year ago

Well... Not sure if other gov won't act the same way in a similar situation.

[-] EngineerGaming@feddit.nl 6 points 1 year ago

I would rather say "do not trust companies that are in a jurisdiction friendly to yours".

[-] ono@lemmy.ca 21 points 1 year ago* (last edited 1 year ago)

Can confirm.

Google locked me out of my account for not giving them my phone number. Even though I used the correct password. Even though I verified myself through the recovery email, which has been the same for ages. Even though I wasn't using a VPN or connecting from a public network. Even though there was no reason to think my account or credentials were compromised.

They are, in fact, extorting phone numbers from people.

Thankfully, I don't depend on my google account for anything, but I'm still stuck receiving spam forwarded by gmail, because I can't log in to turn off forwarding. (I'll probably have to filter it out at some point.) I honestly hope they just delete my account after some months without a phone number.

[-] scottywh@lemmy.world 5 points 1 year ago

If you can't login they will definitely delete the account sooner or later.

They've been sending out notices recently talking about changes to their account inactivity policy saying just that.

[-] skullgiver@popplesburger.hilciferous.nl 4 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

load more comments (1 replies)
load more comments (3 replies)
[-] Blizzard@lemmy.zip 19 points 1 year ago

You could lose access to your X years of Gmail history with 2FA enabled if you lose your phone.

load more comments (4 replies)
[-] Fleppensteijn@feddit.nl 16 points 1 year ago

Creating a new Google account isn't even possible without a phone number anymore. I had a new account which I didn't use in a while and it decided I need some old phone number to confirm my log in. There's no way to log in, recover or delete the account. There's no way I'm putting my daily account to that risk by giving them whatever phone number I have now

load more comments (3 replies)
[-] fidodo@lemm.ee 15 points 1 year ago

Have you people never heard of a phone book? Phone numbers aren't sensitive information. If they want to scrape your phone number they can legally and trivially do so through public data sources. Google does plenty of sketchy things around privacy, but this isn't one of them, it's just about security.

[-] janonymous@lemmy.world 7 points 1 year ago

Is your mobile phone number in the phone book? Mine isn't. I guess you could use a landline number to prevent giving out information that isn't publicly available, but I'd wager most people using these sites these days use their mobile phones. Also even my landline isn't listed in the phone book.

load more comments (1 replies)
load more comments (2 replies)
[-] QuazarOmega@lemy.lol 13 points 1 year ago

Ransomware is getting smarter by the day!

load more comments (6 replies)
[-] KevonLooney@lemm.ee 11 points 1 year ago* (last edited 1 year ago)

No it doesn't. It means that your email is encrypted and they don't have a way to unlock it. If you don't add recovery info or print out your unlock codes, you will lose access. Just like it says.

2FA is more secure.

[-] TheHobbyist@lemmy.zip 38 points 1 year ago

What are you talking about? Google is not encrypting their emails, where did you get that info from?

[-] nbailey@lemmy.ca 6 points 1 year ago

Yeah, this has nothing to do with encryption, it’s because they refuse to have a support division that would be able to get people back into their accounts.

[-] stratoscaster@lemmy.zip 7 points 1 year ago

What? No, that's the whole point of 2FA. There is literally no other way to verify authorization otherwise because it's by-default incapable of verifying identity.

Knowing the previous password doesn't help because those are often found in password dumps.

This is true of any email service.

[-] Oszilloraptor@feddit.de 7 points 1 year ago

2FA is just a second password and has nothing to do with encryption. Can simply be removed.

They could bypass this authentication without problems, if they want. I lost my phone and my google business account got restored regardless of 2FA. It's just a button for the support. The problem is the identification, especially of private customers (dunno if they would even do that).

Encryption passwords aren't time-based either, they must be static.

load more comments (1 replies)
[-] hemko@lemmy.dbzer0.com 5 points 1 year ago* (last edited 1 year ago)

Yes but that has nothing to do with the data being encrypted and Google not having access to it. Their whole business runs around them having too much access to user data.

And yeah before you say anything, yeah the data is probably encrypted at rest which means nothing in this case.

[-] pe1uca@lemmy.pe1uca.dev 7 points 1 year ago

Is it really encrypted?

I'm guessing it's only for the account recovery to reset your password which should be hashed.

[-] Blizzard@lemmy.zip 15 points 1 year ago

Is it really encrypted?

Of course not, Google has full access to your e-mails and uses it the whole time.

[-] maniel@lemmy.ml 11 points 1 year ago

BuT cOrPoRaTiOnS tRaCk YoUr LoCaTiOn If yOu GiVe ThEm YouR nUmBeR

Like they'd need your phone number to do that when you probably already have a smartphone with Facebook installed

[-] MonkderZweite@feddit.ch 10 points 1 year ago

when you probably already have a smartphone with ~~Facebook~~ Play Store/Services installed

load more comments (1 replies)
[-] library_napper 9 points 1 year ago* (last edited 1 year ago)

Some of us don't install proprietary software..

load more comments (1 replies)
[-] sculd@beehaw.org 10 points 1 year ago

At this point I would say stay away from all Google services.

I even moved away from Gmail. It’s very liberating.

load more comments (3 replies)
[-] darkmatterstyx@lemmy.world 8 points 1 year ago

I have been slowly de-googling my life. I bought a domain, and have my email hosted on no-ip.com for like $15 a year now. Has been working great for the past 8 months. I have switched all my important login accounts to those accounts. I'm still keeping the spammy store logins and such on Google. The only thing worrying me about loosing with my Google account are all my app purchases going back back to the day it existed.

[-] PeroBasta@lemmy.world 5 points 1 year ago

Pirate them

[-] AdmiralShat@programming.dev 8 points 1 year ago

I hate how reliant I've become on my Gmail. My banking, all my accounts, my job, etc.

I think email should be regulated, because of how much of the modern world relies on them and you can get fucked over and locked out super easy, and trying to change the email on some services isn't just hard, it's impossible

load more comments (1 replies)
[-] HisNoodlyServant@beehaw.org 5 points 1 year ago

Didn't help me when my account got locked. Had 2fa and all the info they wanted and never got the account back. Fuck google.

[-] interdimensionalmeme@lemmy.ml 5 points 1 year ago

Using someone else's computer for receiving your mail... That's quite cringe !

[-] metaStatic@kbin.social 5 points 1 year ago

Thanks for reminding me to backup my emails locally and forward my gmail to proton, Good guy google.

[-] w2tpmf@kbin.social 8 points 1 year ago

Your proton account is susceptible to the same problem if your password gets compromised and you don't have a backup access method registered.

load more comments (1 replies)
[-] set_secret@lemmy.world 4 points 1 year ago

thank you for the reminder. I keep needing to do this.

load more comments
view more: next ›
this post was submitted on 06 Sep 2023
408 points (80.4% liked)

Privacy

31866 readers
354 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS